ISP Technology
Managed Security Services

Fire-Proofing Your Network With UTM,
Part 3: Layering on anti-X defenses — continued

by Lisa Phifer
VP Core Competence, Inc.
[December 31, 2007]

Filtering Spam
Businesses that use UTM anti-virus do so to complement rather than replace endpoint virus scanners. UTM anti-spam poses a different set of benefits and challenges. Most malware is carried by unsolicited e-mail, so stopping spam can strengthen security. However, most of us deploy anti-spam primarily to improve efficiency.

According to Sophos, spam traffic doubled in 2006. Worse, spam is getting harder to stop. One third of spam now uses images to evade text filters, while botnets send spam from tens of thousands of compromised hosts to elude source IP filters. UTM can put a big dent in spam traffic, but it is not a substitute for best-of-breed anti-spam servers.

UTM appliances separate the wheat from the chaff by quickly discarding mail from known spammers, relaying mail from trusted sources, and then filtering the rest for spam keywords, images, and URLs. MX1004 anti-spam uses configured black and white lists to perform the first two steps, and a large IBM ISS-maintained sample spam database plus Bayesian analysis for the final pass (Figure 3-8).

Figure 3-8: Antispam policy settings

The MX1004's spam parameters are very simple—and limited. Filtering can be applied to SMTP or POP or both (but not IMAP). The appliance's SMTP relay can be configured to authenticate local users before accepting outgoing messages. Spam can be tagged or stripped, but cannot be quarantined for user review. Black lists, white lists, and a slider-based spam threshold are global settings that apply to all users. (According to IBM ISS, per-user/group spam settings are being added later in 2008.)

As with IPS, spam filters must strike a balance. IBM ISS claims to find over 95 percent of spam while incorrectly classifying just one in 10,000 non-spam (ham) messages. To assess this, we compared POP3 client statistics, before and after UTM deployment. As shown in Figure 3-9, after pulling down 20K real-life messages, spam reaching this client dropped from 68 percent to 22 percent when the MX1004 filtered at moderate sensitivity. When we cranked that threshold down, the client received just 10 percent spam. While not quite 95 percent, we noted that remaining spam included many messages with spoofed From: fields that had passed through our configured white list.
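
The three-stage pipeline described above, as an added example in Python that is not the MX1004's or IBM ISS's code: black-list discard, white-list relay, then a naive Bayes content score compared against an adjustable threshold. The training corpus, lists, addresses and messages are all constructed; the last message shows how lowering the threshold turns a borderline ham message into a false positive, and the second shows how a spoofed From: header passes a white list keyed on the sender address alone.

```python
import math, re
from collections import Counter
TOKEN = re.compile(r"[a-z0-9$%]+")

def tokens(text):
    return set(TOKEN.findall(text.lower()))  # one count per message, like document frequency

class BayesFilter:
    """Stage three: naive Bayes scorer trained on a labelled sample corpus."""
    def __init__(self, corpus):
        self.spam, self.ham = Counter(), Counter()
        self.n_spam = sum(1 for _, is_spam in corpus if is_spam)
        self.n_ham = len(corpus) - self.n_spam
        for text, is_spam in corpus:
            (self.spam if is_spam else self.ham).update(tokens(text))
    def spam_probability(self, text):
        # Sum per-token log-odds with Laplace smoothing (unseen words are neutral).
        logodds = math.log(self.n_spam / self.n_ham)
        for t in tokens(text):
            p_spam = (self.spam[t] + 1) / (self.n_spam + 2)
            p_ham = (self.ham[t] + 1) / (self.n_ham + 2)
            logodds += math.log(p_spam / p_ham)
        return 1 / (1 + math.exp(-logodds))

def classify(msg, black, white, bayes, threshold):
    """Stages in the order the article describes: black list, white list, content score."""
    sender = msg["from"].lower()
    domain = sender.rsplit("@", 1)[-1]
    if sender in black or domain in black:
        return "discard"   # stage one: known spammer, dropped unread
    if sender in white or domain in white:
        return "relay"     # stage two: trusted source, skips scoring (keyed on From: only)
    score = bayes.spam_probability(msg["subject"] + " " + msg["body"])
    return "spam" if score >= threshold else "ham"

# Constructed training corpus, lists and sample traffic (not from the article).
CORPUS = [("cheap viagra pills buy now", True), ("buy cheap replica watches now", True),
          ("free prize winner claim now click", True), ("lunch on friday project status", False),
          ("meeting agenda for monday project review", False),
          ("quarterly report attached please review", False)]
BAYES, BLACK, WHITE = BayesFilter(CORPUS), {"known-spammer.invalid"}, {"example.com"}
MAIL = [
    {"from": "bot@known-spammer.invalid", "subject": "hi", "body": "buy cheap pills now"},
    {"from": "ceo@example.com", "subject": "buy cheap pills now", "body": "click"},  # spoofed From:
    {"from": "stranger@other.invalid", "subject": "buy", "body": "cheap pills now"},
    {"from": "pm@other.invalid", "subject": "project review", "body": "meeting on monday"},
    {"from": "hr@other.invalid", "subject": "free lunch", "body": "on friday"},  # borderline ham
]
def run_pipeline(threshold):
    """Verdict counts at one sensitivity setting; a lower threshold is more aggressive."""
    return Counter(classify(m, BLACK, WHITE, BAYES, threshold) for m in MAIL)
```

Compare `run_pipeline(0.5)` with `run_pipeline(0.15)`: the aggressive setting catches no extra spam here but reclassifies the "free lunch" note, which is the false-positive cost the tests in Figure 3-9 trade against.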

Figure 3-9: Antispam effectiveness during our tests

Clearly, UTM anti-spam can reduce mail server and end user workload. But there are tradeoffs. Obviously, there will be a performance hit when enabling UTM anti-spam. For example, the MX1004 can be configured to log spam alerts—but doing so could fill your log up fast. On the other hand, the MX1004 does not chew up storage by quarantining spam—but users cannot recover the infrequent false positive message.

Finally, some of our POP3 clients hung or displayed errors when we set the MX1004 to delete spam. The appliance cannot actually delete spam, since POP3 clients expect to receive a certain number of messages. So the appliance sends a brief replacement notice for each spam. But, because replacements were shorter than spam, the Norton Internet Security programs used on those clients were waiting for deleted bytes that never arrived. We turned off Norton inbound mail filtering and did not encounter this with other endpoint programs. However, this demonstrates that dropping anything into a network has some potential to cause interoperability problems. To avoid surprises, test your UTM appliance with every desktop environment that you support.

Go to page four: Filtering web traffic >
